Year 2023 in retrospect:

Regulatory changes for NBFCs

 Copyright & Disclaimer

◼ The presentation is a property of Vinod Kothari Consultants P. Ltd. No part of it can be copied, reproduced or
distributed in any manner, without explicit prior permission. In case of linking, please do give credit and full link
◼ This presentation is only for academic purposes; this is not intended to be a professional advice or opinion.
Anyone relying on this does so at one’s own discretion. Please do consult your professional consultant for any
matter covered by this presentation.
◼ No circulation, publication, or unauthorised use of the presentation in any form is allowed, except with our prior
written permission.
◼ No part of this presentation is intended to be solicitation of professional assignment.
 List of Circulars
◼ SBR Framework: ◼ Credit Information:
◼ Circulars applicable from 2023 ◼ Framework for compensation to customers for
◼ SBR Master Directions, 2023 delayed updation/ rectification of credit information
◼ Fair Practices in Lending: ◼ Strengthening of customer service rendered by CICs
◼ Penal Charges in Loan Accounts and Credit Institutions
◼ Reset of Floating Interest Rate on EMI based Personal Loans ◼ Data Quality Index for Commercial and Microfinance
◼ Display of information - Secured assets possessed under SARFAESI Segments by CICs
◼ Release of Movable / Immovable Property Documents on ◼ Information Technology:
Repayment/ Settlement of Personal Loans ◼ Master Direction on Information Technology
◼ Prudential measures: Governance, Risk, Controls and Assurance Practices
◼ Regulatory measures towards consumer credit & bank credit to ◼ Master Direction on Outsourcing of Information
NBFCs Technology Services
◼ Framework for Compromise Settlements and Technical Write-offs ◼ Innovations and newly introduced concepts:
◼ Guidelines on Default Loss Guarantee in Digital Lending ◼ ONDC for Financial Services
◼ Lending and investment segments: ◼ Operation of Pre-Sanctioned Credit Lines at Banks
◼ PM Vishwakarma Scheme through Unified Payments Interface (UPI)
◼ Framework for Green Deposits ◼ DPDP Act, 2023
◼ Expanding the Scope of Trade Receivables Discounting System ◼ Draft regulations for comments:
◼ REs’ Investment in AIFs ◼ Wilful Defaulters (Draft)
◼ Amendments to the KYC Master Directions ◼ Master Directions on Outsourcing of Financial Services
(Draft)
Scale-based Regulations
 Applicability of SBR Framework- Timelines

ICAAP Disclosure Requirements

Director’s relevant experience including CG Report
Risk Management Committee (Annual Financial Statements for FY
Concentration norms ending March 31, 2023)

April 1, 2022 October 1, 2022 March 31, 2023

Sensitive Sector Exposure

Limit on IPO Financing Loans, advances and awarding of contracts to
directors and senior officers April 1, 2023 Compensation Guidelines
Reporting on implementation
of CFSS

October 1, 2023

NPA transitioning Compliance Function

(Beginning date of NPA March 1, 2024 NOF Requirement
transitioning. To align with more (Beginning date. To reach Core Financial Services Solution
than 90 DPD by March 31, 2026) Rs.10 crores By March 31, 2027) NBFC-ML with >=10 FUs

March 31, 2025 September 30, 2025

Fair Practices Code
 Levy of Penal Charges
Penal Charges
◼ Penalty is not in the nature of interest or additional interest and What is penalty?
therefore, cannot be capitalised.
◼ Penal charges may either be Penalty or penal charges are imposed for
breach of terms or irregularity in
◼ standardized across all loans and borrowers or
performance. For example:
◼ may depend upon the ● Not meeting payment timelines
◼ type of loan, ● Cheque or NACH bounce
◼ level of credit risk, and ● Failure to create security or register
◼ the terms and conditions as mutually agreed by the borrower and the charges
lender.
● Breach of important or material
◼ Penal charges should be representations and warranties
◼ reasonable and ● Covenant breaches, such as late
◼ commensurate with the non-compliance of material terms and reporting
conditions of loan contract ● Failure to submit the requisite
◼ not be discriminatory within a particular loan / product category documents/ information etc.
◼ Penal charges levied for individual borrowers, for purposes other
than business should not be higher than non individual borrowers
 Levy of Penal Charges: Applicability
Penal Charges- Applicability
In case of new loans

The Circular is applicable from January 01, 2024 (extended till April 01, 2024)

In case of Existing loans

By next review or renewal date falling on or after April 1, 2024, or

six months from the effective date of the Circular, whichever is earlier
(extended till not later than June 30, 2024)

For loans that do not have any review date specified, by when should compliance with the Circular be ensured?
 Reset of floating rate of interest
Reset of Floating Rate Loans
◼ With every reset of floating interest rate on EMI-based personal loans,
borrowers should be presented with the following choices:
◼ Option to switch to a fixed rate:
◼ Subject to the lender’s approved policy, (limit the frequency of rate
switches)
◼ Impose switching charges - transparently disclosed.
◼ Option to increase/decrease the EMI amount, extend/contract the
loan tenure, or both:
◼ Ensure it does not result in negative amortization.
◼ Option to partially or fully prepay the loan during its tenure:
◼ Foreclosure charges for prepayment penalties
◼ Default Option:
◼ In case a borrower does not exercise any of the above options a default
option may be exercised- should be communicated to the borrowers
◼ In most cases, this default option is an elongation of the loan tenor.
 Communications and disclosures to borrowers

Change in the
Quarterly
To existing To new charges About reset of
statement to
borrowers borrowers associated with interest
borrowers
the options
• By December 31, • At the time of • During any • Statement shall at • As and when
2023, sanctioning the change in any of minimum, there is an
• Communicate loan demonstrate the charges/ enumerate: interest rate
the various the potential costs associated • principal and reset
options available impact any with exercise of interest
and also the costs interest rate any of the recovered till
associated with reset might have options date,
them. on payment communicated to • EMI amount,
schedule, i.e, the customer at • no. of EMIs left
• EMI or the time of the • annualized
• Tenor of the loan sanction ROI/APR for
loan or the entire
• Both (EMI & tenor of the
Tenor) loan.
 Display of Information - On repossession under SARFAESI

◼ RBI vide its notification dated September 25, 2023, ◼ The following information is to be displayed;
◼ Applicable to: NBFCs (incl. HFCs) as secured ◼ Sl. No
creditors under SARFAESI Act ◼ Branch
◼ Display information in respect of the borrowers ◼ State
whose secured assets have been taken into ◼ Borrower name
possession by the REs under the Act. ◼ Guarantor name (if applicable)
◼ The said information is to be uploaded on REs ◼ Registered address of the borrower
website. ◼ Registered address of the guarantor
◼ Timeline: by March 25, 2024 ◼ Outstanding amount
◼ and thereafter monthly updation ◼ Asset classification
◼ Date of asset classification
◼ Details of security possessed
◼ Name of the title holder of the Security
possessed
 Repossession of Vehicles
Repossession of vehicles financed by NBFCs
Patna High Court
Shashi Kant Kumar vs The State Of Bihar on 19 May, 2023

◼ For repossession of vehicles ◼ Agents while interacting with customers for

◼ Notice should be given to borrower before collection of dues and/or for enforcement/
taking possession of the vehicle, for the period repossession of security/ secured assets will
mentioned in loan agreement; identify himself / herself and display the
◼ The procedure for taking possession of the asset Identity card/authority letter issued by lender
should be as mentioned in the loan agreement; upon request
◼ Final chance must be given to the borrower for ◼ Agents will document the efforts made for the
repayment of loan before repossession of the recovery of dues, as far as possible and the
property; copies of communication sent to customers, if
◼ In case repossession is to be given back to the any, will be kept on record.
borrower upon repayment of loan or otherwise, ◼ Agents can disclose details pertaining to the
procedure given in loan agreement should be
credit facilities only to the relevant borrower,
followed;
co-borrower or the co-guarantor.
◼ The procedure for sale / auction of the property
should be as mentioned in loan agreement.
 Release of Movable / Immovable Property Documents
◼ To streamline divergent practices followed ◼ The following amendments are added:
by REs in releasing all movable / immovable ◼ All original property docs to be released &
property documents charges removed within 30 days of final
◼ upon receiving full repayment and settlement
closure of personal loan account, ◼ Borrower may choose to collect docs from the
◼ RBI vide notification dated September 13, branch where loan was given or any branch
2023 has introduced guidelines for where documents are available.
responsible lending conduct. ◼ The timeline and place of return of original
◼ Applicable to all cases where release of movable / immovable property documents will
original movable /immovable property be mentioned in the loan sanction letters
◼ Delay in release of docs or charge beyond
documents in case of settlement of
30 days attracts daily compensation of Rs
Personal Loans, falls due on or after
5000 per day,
December 1, 2023. ◼ If borrower dies, documents to be returned to
legal heirs. Return procedure to be displayed on
website.
◼ In case of loss/ damage of title documents,
assistance to be provided at RE’s cost.
Prudential Measures
Regulatory measures towards consumer credit & bank credit
to NBFCs
Increased risk weights in case of Consumer Credit
Increased Risk
Increased Risk Increased Risk Sectoral Limits
Regulatory Weight in case
Weight in case Weight on on Unsecured
of CC for
Change Banks
of CC for Banks lending Credit
NBFCs to NBFCs

• February 29,
Timeline for • Effective Immediately 2024
Implementation • Increased risk weight may be applied in the capital • Effective steps
adequacy return filed with RBI may be taken
soonest
 What is Consumer Credit?

Loans for
consumer Education loans
Secured personal durables
loans secured by Consumption
gold, gold jewellery, Credit Card loans given to
immovable Receivables farmers under
property, fixed KCC
deposits
INCLUDES EXCLUDES
Auto Loans
Personal loans to Loans given for
(other than
professionals investment in
loans for
(excluding loans for financial assets
commercial
business purposes)
Loans given for use) Loans given for
other creation/
consumption enhancement of
immovable assets
purposes
 Sectoral Exposure on Consumer Credit

● Self imposed caps depending on the ● Sectoral Limits are based on Asset
business, diversification, asset focus, etc Under Management (AUM)
● No absolutism in the regulatory ● For monitoring risk exposure in FLDG
prescription the entire portfolio value has to be
● Risk Management Committee to set these considered.
sectoral caps ● Portfolio concentration may be
● In absence of Risk Management corrected by securitisation, direct
Committee the Board of Directors may assignment or Co-lending transactions.
monitor the sectoral caps
 Understanding the DLG Guidelines

◼ RBI on June 8, 2023, took the first step in recognising Cash deposited with
first loss default guarantees (‘FLDG’), provided by the RE
regulated or non-regulated entities, subject to
restrictions
◼ A contractual arrangement, called by whatever
name, between the Regulated Entity (RE) and an Fixed Deposits
entity meeting the criteria laid down at para 3 Forms of maintained with an
of these guidelines, under which the latter Guarantee SCB with a lien marked
guarantees to compensate the RE, loss due to in favour of the RE
default up to a certain percentage of the loan
portfolio of the RE, specified upfront. Any other
implicit guarantee of similar nature linked to
the performance of the loan portfolio of the RE Bank Guarantee in
and specified upfront, shall also be covered under the favour of the RE
definition of DLG.
 DLG Structure
◼ Eligibility of Guarantor ◼ Limit or capping of DLG cover
◼ LSP or other RE with which it has entered into an
outsourcing (LSP) arrangement ◼ Total amount of DLG cover on any
◼ Must be company under the Companies Act, 2013 outstanding portfolio shall not exceed 5% of
the amount of that loan portfolio
◼ DLG Agreement ◼ NBFC/Bank availing DLG
◼ DLG arrangements should be backed by an explicit ◼ Put in place a Board approved Policy
contract that shall at least contain the following -
◼ Extent of DLG cover ◼ Ensure NPA classification as per the extant
◼ Form in which DLG cover is to be maintained with asset classification and provisioning norms
the RE irrespective of any DLG cover available at the
◼ Timeline for DLG invocation portfolio level
◼ Disclosure requirements with respect to ◼ Amount of DLG invoked shall not be set off
information to be published on the LSP’s website against the underlying individual loans
◼ Tenure of DLG ◼ Share the recovery, if any, from the loans on
◼ DLG agreements shall remain in force for shall not which DLG has been invoked and realised,
less than the longest tenor of the loan in the with the DLG provider as per the terms of
underlying loan portfolio the contract.
 Actionables for DLG Provider and Beneficiary

LSP providing DLG NBFC/Bank availing DLG

◼ Must be incorporated as a company under the ◼ Put in place a Board approved Policy
Companies Act, 2013, ◼ Ensure NPA classification as per the extant asset
◼ Provide a declaration certified by its statutory auditor classification and provisioning norms irrespective of
on any DLG cover available at the portfolio level
◼ the aggregate DLG amount outstanding, ◼ Amount of DLG invoked shall not be set off against
◼ the number of REs and the respective number of the underlying individual loans
portfolios against which DLG has been provided, ◼ Share the recovery, if any, from the loans on which
◼ past default rates on similar portfolios, and DLG has been invoked and realised, with the DLG
◼ such other information to satisfy the lender that it provider as per the terms of the contract.
would be able to honour the DLG commitment
◼ Publish on their website the total number of
portfolios and the respective amount of each
portfolio on which DLG has been offered
Understanding Compromise Settlement and Technical write off
Compromise Settlement Technical Write-off
◼ Any negotiated arrangement with the ◼ The Framework defines the term as
borrower ◼ cases where the non-performing assets
◼ to fully settle the claims of the RE against ◼ remain outstanding at borrowers’ loan
the borrower account level
◼ in cash ◼ but are written-off (fully or partially) by the
◼ Such settlement may entail RE only for accounting purposes,
◼ some sacrifice of the amount due from the ◼ without involving any waiver of claims
borrower on the part of the REs against the borrower
◼ corresponding waiver of claims of the RE ◼ without prejudice to the recovery of the
against the borrower to that extent same.
Lending and Investment Segments
 PM Vishwakarma Scheme
◼ Participating Financial Institution
◼ Type of loan- Enterprise Development Loan
◼ SCBs, RRBs, SFBs, Cooperative Banks, NBFCs and MFIs,
are eligible to lend under this Scheme ◼ Maximum amount of credit support- Rs.3,00,000/-
◼ Roles and Responsibilities of the various Stakeholders ◼ First loan tranche upto Rs. 1,00,000
◼ Ensuring timely disbursement of collateral free credit. ◼ Second loan tranche upto Rs 2,00,000
◼ Streamlining and simplifying the process for smooth credit ◼ No collateral will be required to avail the loan.
disbursement at grassroot level.
◼ No prepayment penalty will be charged from the
◼ Continuous reporting of loan portfolio
borrowers after 6 months of loan disbursement.
◼ Eligible Borrowers
◼ An artisan and craftsman from 18 specified sectors as
◼ To be repaid in monthly installments.
mentioned in para 2.3 of the guidelines will be eligible to ◼ PAN requirements for the credit facilities will be as
borrow under this scheme. per the banking norms (KYC Directions).
◼ Minimum age 18 years
◼ Credit information report will be required for those
◼ The borrower should be engaged in the trades concerned
on the date of registration and should not have availed who have a credit history, for availing benefits under
loans under other CG or SG schemes. the credit component, so as to exclude any defaulter
◼ A person in government service and his/her family from availing credit again under the Scheme.
members shall not be eligible under the Scheme. ◼ However, not having credit history should not be a
◼ The registration and benefits under the Scheme shall be ground of declining of loan.
restricted to one member of the family. ◼ The eligible borrowers will be given loan at
concessional rate of fixed interest at 5% .
 Framework on Green Deposits
The Green Deposits Framework Actionables under the Framework
◼ Banks and deposit-taking NBFCs/HFCs may raise ◼ Policy on green deposits – Such policy shall be put
green deposits, in accordance with the Framework, on the website of the RE.
from 1st June, 2023 ◼ Financing Framework for allocation of proceeds
to be framed and put on website
◼ Money raised by Green deposits to be deployed
◼ Review of Financing Framework by an external
only for “green finance”
reviewer and the opinion of the external reviewer
◼ India’s taxonomy for the same to be developed. In is also required to be put on the website prior to
the meantime, a list of eligible green activities/ implementation of the Financing Framework.
projects has been announced, in line with SEBI’s ◼ Third-party verification of allocation of funds- The
definition of green bonds under NCS Regulations Report shall also be put on the website of RE.
◼ Third party assessment/verification of use of ◼ Impact assessment of use of proceeds – The
proceeds mandatory Report has to be put on the website of the RE.
◼ Impact assessment to be optional for FY 23-24, and ◼ Reporting Requirements – FRE shall place before
mandatory from FY 24-25 the Board, within 3 months from the end of the
financial year, a review report covering details as
◼ Requirement of disclosure of green deposits and prescribed. Further, the entity shall also make
utilization in the annual financial statements appropriate disclosures in its annual financial
statements in the prescribed format.
Expanding the scope of Trade Receivables Discounting System
◼ RBI has permitted insurance companies to ◼ RBI has allowed TReDS platform to undertake
participate as a “fourth participant” in TReDS, the settlement of all uploaded Financing Units
alongside MSME sellers, buyers, and financiers. (FUs), whether financed/discounted or not,
◼ TReDS platform operators shall have the flexibility using the National Automated Clearing House
to specify the stage at which insurance facilities (NACH) mechanism
can be availed ◼ TReDS platforms facilitate transparent and
◼ TReDS platforms can, with the consent of competitive bidding by the financiers.
financiers and insurance companies, facilitate
◼ The platforms have been allowed to
automated processing of insurance claims
display details of bids placed for an FU to
◼ RBI has expanded the pool of financiers on
other bidders; the name of the bidder
TReDS.
shall, however, not be revealed.
◼ In addition to banks, NBFC-Factors, and select
financial institutions authorized by the RBI, other
entities and institutions permitted by the Factoring
Regulation Act, 2011 (‘Factoring Act’) to partake
as financiers in TReDS
 RE’s investment in AIFs
Investments in AIFs where the AIFs have Investments in subordinated units of any AIF
investments in ‘debtor companies’: scheme
◼ Prohibited all regulated entities (REs), including banks, ◼ Investment by REs in the subordinated units of any
cooperative banks, NBFCs and All India Financial
Institutions from making investments in Alternative AIF scheme with a ‘priority distribution model’
Investment funds (AIFs), if the AIF has made any subject to full deduction from RE’s capital funds.
investment into a “debtor company”.
◼ Debtor company means a company in which the Impact of the circular
RE currently has or previously had a loan or ◼ Likely to impact of the flow of funds of the AIFs
investment exposure anytime during the
preceding 12 months ◼ While the bar is only for those AIFs which have invested
in “debtor companies”, it will be practically tough for
◼ The bar applies immediately, that is, effective 19th Dec REs to avoid overlapping investments. Given the severe
2023. implications of a breach, compliance-sensitive REs will
◼ No further investments to be made. If investments avoid investing in AIFs.
already exist, the RE shall exit within 30 days, that is, by ◼ There is an immediate disinvestment pressure on AIFs,
18th Jan 2024 as there may be overlapped investments. AIFs’ assets
◼ Further, if an RE has made an investment in an AIF, and are mostly illiquid – ensuring exit to RE investors may
the AIF invests in a debtor company, the RE shall make be tough. In many cases, there are lock-in restrictions as
well.
an exit within 30 days.
◼ The objective of the circular is to prevent
evergreening:
◼ Since several REs have affiliated AIFs, routing the
money through AIFs to borrowers might have led
to evergreening.
 Amendments in KYC Master Directions (April)
◼ Insertion of various definitions – The definitions of ◼ Additional documentation requirements –
“Non-profit organizations” and “Politically Exposed Additional recognized documents have been
Persons” have been amended to align those with the specified that are required to be submitted by
definitions in the PML Rules. Also, the RE shall be companies, partnership firms, and trusts for the
required to ensure the registration of customers, in purposes of conducting client due diligence.
case of NPO, on the DARPAN Portal of NITI Aayog, if
not already registered. Further, the definition of ◼ Non-face-to-face KYC (other than through the
“Group” has been added. Aahaar OTP-based e-KYC mode)- REs have been
◼ Group-level monitoring – Section 4 has been amended instructed to ensure additional enhanced DD
and a provision has been inserted advising regulated measures and high risk categorisation-
entities to ensure that a group-wide policy is ◼ V-CIP to be conducted, if provided by RE
implemented for the purpose of discharging obligations
under the provisions of Chapter IV of the PML Rules. ◼ Contact point address verification
◼ Revised criteria for Beneficial Ownership – The ◼ PAN verification
threshold for “Controlling ownership interest” for the ◼ First transaction from KYC compliant
purpose of determination of Beneficial Owner (BO)
has been revised to 10 percent for both companies customer bank account
and trusts from the earlier threshold of 25 percent ◼ Transactions shall be permitted only from
and 15 percent, respectively the mobile number used for account
opening
Amendments to KYC Master Directions (October)
Credit Information
Framework for compensation to customers for delayed
updation/ rectification of credit information
◼ Customer Alerts for Default/DPD ◼ Dedicated Nodal Point:
◼ CIs are now required to send SMS or email ◼ CIs must designate a dedicated nodal point or
alerts to customers when they submit official for CICs to address customer grievances
information to CICs related to defaults or Days promptly.
Past Due (DPD) in existing credit facilities. ◼ This streamlines the grievance redressal process.
◼ This proactive communication keeps customers ◼ Root Cause Analysis:
informed about their credit status. ◼ CIs should undertake a RCA of customer
grievances at least semi-annually.
◼ Awareness Campaigns:
◼ Top management should review the RCA
◼ CIs should organize special awareness campaigns annually to identify and rectify the underlying
to educate their customers about the benefits of issues leading to complaints.
providing mobile numbers and email addresses. ◼ Reasons for Data Rejection:
◼ This empowers customers with the knowledge ◼ CIs should inform customers of the reasons for
of how these details can be essential for timely the rejection of their requests for data
communication regarding their credit correction.
information ◼ This transparency helps customers better
understand issues in their CIR.
Strengthening of customer service rendered by CICs and
Credit Institutions
◼ Resolution of Complaints: ◼ Compensation Disbursement:
◼ To prioritize the prompt resolution of customer ◼ Ensure compensation amounts are credited to
complaints, related to credit information the complainant’s bank account within 5 working
discrepancies, forward corrected particulars of the days
credit information to the CIC within a period of 21 ◼ Recourse for Wrongful Denial:
days from the date when informed of inaccuracy ◼ If complainant believes they were wrongfully
denied compensation, they can approach the RBI
◼ Tracking and Communication: Ombudsman (if covered) or Consumer
◼ Maintain a system for tracking the progress of Education and Protection Cell (CEPC) at the
complaints and their resolution timelines. Regional Offices of the RBI
◼ Inform the concerned CIC and the complainant ◼ Training and Awareness:
about the total delay & the compensation amount ◼ Train the staff to understand and implement the
to be paid, if applicable, after the final resolution. compensation framework effectively.
◼ Incorporate Compensation Provisions: ◼ Make sure that customers are aware of their
rights and the compensation process.
◼ Integrate provisions in their complaint submission ◼ Compliance Monitoring:
formats, both online & offline, to allow complainant ◼ Regularly monitor institution’s compliance with
to submit their contact details, email IDs, bank the compensation framework.
account details or UPI IDs for compensation
disbursement
Data Quality Index for Commercial and Microfinance
Segments by CICs
Information Technology
 Master Direction on Information Technology Governance,
Risk, Controls and Assurance Practices
◼ On 7th November, 2023, the RBI notified the Master ◼ What happens to existing functional
Directions on Information Technology Governance,
Risk, Controls and Assurance Practices classification?
◼ Unified IT framework across all regulated entities ◼ These regulations shall apply on the
◼ Effective from April 01, 2024 and are applicable following NBFCs (except NBFC-CICs) as
to: per the SBR framework (‘Specified
◼ Commercial banks, including Banking NBFCs’):
Companies, Corresponding New Banks, and the ◼ Top Layer;
State Bank of India.
◼ NBFCs falling under the 'Top Layer,' 'Upper ◼ Upper Layer;
Layer,' and 'Middle Layer' categories ◼ Middle Layer.
◼ Credit Information Companies (CICs). ◼ Base layer entities are expressly excluded
◼ All India Financial Institutions (AIFIs) such as ◼ NBFC-BL shall continue to follow existing
EXIM Bank, NABARD, NaBFID, NHB, and IT Framework (Section-B)
SIDBI.
◼ However these are not applicable on:
◼ 2017 Master Direction - Information
Technology Framework for the NBFC.
◼ Local Areas Banks;
◼ NBFC – Core Investment Companies
Governance Structure
Roles and Responsibilities
Senior Management/ IT Steering Committee
Board's responsibilities
responsibilities:
● Establish and review IT-related policies annually
● Ensure execution of Board-approved strategy
(IT & Information Asset, Business Continuity,
● Ensure robust cybersecurity
Information & Cybersecurity)
● Oversee Business Continuity and Disaster Management
● Constitute IT Strategy Committee (ITSC) with 3
processes
directors, Independent Chairperson, and
● Periodically update ITSC and CEO on IT Steering
technically competent members
Committee activities
ITSC Responsibilities: ● Ensure IT infrastructure meets regulatory and statutory
● Establish effective IT planning process requirements
● Align IT Strategy with overall business objectives ● IT Steering Committee to meet quarterly
● Ensure accountable and efficient IT and Head of IT Function Responsibilities:
information security governance
● First line of defense for effective assessment,
● Implement processes for assessing and managing IT
evaluation, and management of IT controls and risks
and cybersecurity risks
● Secure information assets & ensure compliance with
● Allocate and utilize budget for IT systems
internal policies, regulatory, legal requirements on IT
● Review adequacy and effectiveness of BCP and
aspects
DRM
Committees - Composition and ToR

Committee Constitution Composition Meeting Frequency

(minimum)
IT Strategy Board level • Three directors Quarterly
Committee (ITSC) • Independent Chairperson
• Technically competent members
IT Steering Management level • Minimum of three directors as members Quarterly
Committee • Chairperson to be an independent director
with substantial IT expertise
• Technically competent members

Information Management level • CISO & other representatives from Not specified
Security -Under the Business & ITSC on recommendation of
Committee (ISC) oversight of the ITSC
ITSC
 List of Policies to be maintained
Policy Area Approving Authority Review Frequency (minimum)
Information Technology/ Information System Board Annual
Business Continuity (BCP) and Disaster Recovery (DRM) Board Annual
(to be updated based on major
developments/ risk assessment)
Information Security Board Annual
Information and Cyber Security ISC (reviewed by the Annual
(incl. Incident Response and Recovery Management/ Board)
Cyber Crisis Management and Cyber Security Policy and
Cyber Crisis Management Plan (CCMP))
Enterprise-wide risk management policy/ operational risk RMC in consultation with Periodic
management policy needs to incorporate IT-related risks the ITSC

Change and Patch Management Not specified Not specified

Data Migration Not specified Not specified
IS Audit Audit Committee Annual
Master Direction on Outsourcing of Information Technology Services
● The RBI published the Master Direction on Outsourcing of ● IT outsourcing activities of Specified NBFCs were previously
Information Technology Services on April 10, 2023 covered under Section - A of the Master Direction -
● These Directions apply to the regulated entities of the RBI Information Technology Framework for the NBFC Sector
(RE) including non-banking financial companies in the ● Such NBFCs as well as the other REs to whom the new
Middle-layer and above (‘Specified NBFCs’) and are effective Directions apply are required to comply with the provisions of
from October 1, 2023 the new Directions as per below timelines-
● The Directions apply to “Material Outsourcing” ○ New agreements/ agreements renewable before effective
date: Preferably by the agreement/ renewal date but not
● The Directions, inter alia, provide for - later than 12 months from the issuance of new Directions
○ Role of the RE to oversee and monitor the activities ○ Agreements coming into force on or after the effective
of service providers date: From the date of agreement
○ Assessment of need for outsourcing and attendant ○ Agreements due for renewal on or after the effective date:
risks By the renewal date or 36 months from the issue of the
○ Creating an inventory of services provided by the Directions, whichever is earlier
service providers
○ Governance framework in terms of having a Board-
approved IT outsourcing policy with responsibilities
demarcated among the Board, senior management and
IT function
○ Undertaking due diligence before engaging a service Read our article here -
RBI regulates outsourcing of IT Services by financial entities
providers on a risk-based approach
○ BCP and DR
Innovations and newly introduced concepts
 ONDC for Financial Services
● ONDC, a government initiative, undertook the
mission of democratising the digital e-
commerce space in India. As on November
2023, ONDC was live in 500+ cities with 53
network participants and 2.2 lacs sellers/
service providers
ONDC for Financial Services
● Building on the success in the e-commerce
space, ONDC now aims at leveraging its
architecture for the provision of financial
services in four domains namely credit,
insurance, investments, and gift cards
● The architecture provides a common public
digital infrastructure for LSPs and lenders with
the aim to reduce operational costs and expand
reach
● In the first phase, ONDC plans to enter the
credit sector by providing a platform for Read our article here -
Introducing Financial Services on ONDC: Opportunities & Challenges for
unsecured personal loans as well as GST-based Digital Lenders
invoice loans to merchants.
 UPI - Operation of Pre-sanctioned Credit Lines
● RBI vide its circular dated. Sept. 04, 2023 ● UPI Apps are also set to become credit cards but
expanded the scope of UPI by enabling transfer to better:
/ from pre-sanctioned credit lines at banks
○ Virtual facility - No plastic
● Further, NPCI vide its notification dated. Sept. 20, ○ Users will be able to discover credit line a/c
2023 has come out with instructions to enable through mobile
permitted lenders to effectively enhance their ○ phone App
credit offering through UPI ○ Existing devise binding controls continue to
apply
● This change encourages a expansion in credit
○ Online Disputes Resolution
product offering by banks especially in the short
○ Speedy settlement as per existing UPI
term retail credit segment. NBFCs have often
settlement process
provided the last mile connectivity in such lending
○ Inward payment to UPI ID to be auto-treated
and one may expect to witness greater
as repayment if only credit line a/c linked
collaboration between banks and NBFCs in credit
○ AutoPay may be used to pay dues
delivery as a result of this change

Read our article here -

UPIs become virtual credit cards: A game changer in credit delivery
 Digital Personal Data Protection Act, 2023
● The Digital Personal Data Protection Act, 2023 is a comprehensive act on data privacy and protection
● The Act introduces the concepts of Personal Data, Data Principal, Data Fiduciary and Data Processor
● Financial services industry, including lenders like Banks and NBFCs, will get covered under the ambit of the proposed Act, as
information shared by customers/ borrowers of such entities will involve “Personal Data” and actions of lenders amounting to
“processing” will come under this law
 Digital Personal Data Protection Act, 2023 (contd.)
● The Act mandates an explicit and informed consent ● Additional requirements place upon “Significant Data
from the Data Principal, subject to a carve-out for Fiduciaries” -
“legitimate uses”, which is regarded as ‘deemed consent’. ○ Appointment of DPO
○ Performance of data protection impact assessments/
● Data Fiduciaries are required to provide prior notice to
audit
Data Principals for all cases where data processing
requires consent of the Principal. ● The Act allows personal data to be retained by the Data
Fiduciary or its authorised Data Processor, till a
● The Act is light in prescribing any specific cybersecurity
"reasonable period" post completion of the
measures. Personal data protection breaches are,
specified purpose or from withdrawal of consent by
however, subject to heavy penalty.
the Data Principal to store/ process such data,
● The Act requires Data Fiduciaries to provide notice of whichever is earlier.
data breaches to the Data Protection Board that will
● The Act, however, allows the Data Fiduciary to retain
be established under the Act and also to every Data
personal data for a longer period if any law so requires.
Principal whose personal data is affected by such breach.
● The Act does not impose any data localisation
● Data Fiduciaries mandated to have grievance redressal
requirement on the Data Fiduciaries, however, it
mechanism for any complaints from Data Principals under
confers on the Central Government the authority to
the law. Unaddressed grievance may be escalated to the
restrict, by notification, transfer of personal data by a Data
Data Protection Board established under the Act.
Fiduciary for processing to such country/ territory
Read outside
our article here -
India as notified.
Digital Personal Data Protection Bill 2023: Analysing the Impact on Digital
Lenders
Draft regulations for comments
 Wilful Defaulters
◼ Upper Layer and Middle Layer NBFCs get right to tag defaulters as wilful
◼ Major obligations of NBFCs include:
◼ Identification of an NPA as to whether it may fall into the category of Wilful Defaulter
◼ Having an Identification Committee, Review Committee, etc. for the process of declaration
◼ Post declaration, appropriate filing with Credit Information Companies(CICs)
◼ Review of status of Wilful Defaulters by the audit committee
◼ Reporting of Wilful Defaulters in the List of Wilful Defaulters with CICs
◼ Once classified as a Wilful Defaulter, the tag can only be removed if the defaulting borrower undertakes
either of the following:
◼ The defaulting borrower clears his dues
◼ The defaulting borrower enters into a compromise settlement with the lender, and the entire
settlement consideration is cleared
◼ The defaulting borrower clears so much of his dues as to bring the outstanding amount to less than
Rs 25 lacs
◼ The defaulting borrower undergoes a CIRP which is implemented; however, the promoters of the
defaulter will continue to be classified as Wilful Defaulter
◼ Large defaulter is based on two conditions:
◼ Size of the default: Rs 1 crore of outstanding
◼ Vintage of the default: Should have been classified as doubtful or loss by the lender
◼ Monthly filing of large defaulters to all CICs
 Master Directions on Outsourcing of Financial Services (Draft)
● Issued the Draft Master Direction on October 26,2023
● In line with RBI’s Monetary Policy Statement on Development and Regulatory Policies dated 5 August
2022
● Objective:-
○ Ensuring harmonisation of extant guidelines issued to the different categories of regulated entities.
○ Consolidation of the guidelines under one guideline.
Applicability Meaning

● Regulated Entities (REs) Distinction: Meaning:

○ Commercial Banks (LAB’s, RRB’s, ● Outsourcing: The functions ● As per the Basel 2005 document,
PB’s & SB’s) which, in normal course, are “a RE’s use of a third party (either
○ AIFI’s expected to be undertaken by group entity or external entity) to
○ NBFCs the financial services entity itself, perform activities on a continuing basis
○ Cooperative Banks and which form a part of its that would normally be undertaken by
○ Credit Information Companies. ordinary business the regulated entity, now or in the
● Type of Outsourcing ● Professional Service future”
○ Material procurement: Sourcing and ● ‘continuing basis’ would include:
○ Non Material Outsourcing buying of services for business ○ agreements for a limited
○ Sub-contracted Outsourcing from professionals/companies. period,
○ perpetual agreements - not
permitted
What constitutes financial services outsourcing arrangement ? (Annex 1)

● Application processing (loan origination, credit

● Function legally required to be performed by a
cards);
service provider;
● Middle and Back office operations (EFT, payroll &
● Telecommunication services,
order processing);
● Postal and Courier services and public utilities;
● Claims administration (loan negotiation, processing,
● Market information services,
collateral management, collection of bad loans);
● Common network infrastructure;
● Document processing (cheques, credit card and bill
● Global financial messaging infrastructure subject to
payments);
oversight by relevant regulators;
● Cash management, Manpower Management
● Acquisition of services that would otherwise not
(training);
be undertaken by the RE;
● Marketing and research (Product development,
● Correspondent Banking services.
media relation, telemarketing.
Functions which cannot be outsourced:

● Core management functions:

○ Decision-making
○ Ensuring compliance with KYC norms;
● Policy formulation; (currently applicable to co-operative banks, now been extended to all REs)
● According sanction of loans through a service provider as per a pre-decided criterion -
permitted, provided RE can demonstrate the decision to lend was solely its own, and the
service provider is merely acting as a facilitator.
● For NBFCs in a group or conglomerate, certain activities were permitted to be outsourced
within the group, subject to compliance with the instructions specified- Reference to the same
has now been removed in the draft MD.
● Outsourcing of the Internal Audit function (experts including former employees can be hired
on a contractual basis).
What is Material Outsourcing?

● Material Outsourcing arrangement has been redefined as:

○ an outsourcing arrangement that –
■ in the event of failure of service or breach of security, has the potential to either materially
impact the Company’s
● business operations, reputation, strategies, or profitability; or
● ability to manage risk and comply with applicable laws and regulations ; or
■ in the event of any unauthorised access or disclosure, loss or theft of customer information,
may have a material impact on the RE’s customers.
● Materiality of an outsourcing arrangement will be considered on a gross basis,
○ Prior to application of any risk mitigations or controls.
Factors to classify outsourcing arrangement as material

Existing Factors Factors newly added

● Level of importance of the activity being outsourced; Additional criteria to determine materiality:
● Significance of the risk posed by the same; ● Degree of difficulty, including the time taken,
● Potential impact of the outsourcing on earnings, in:
solvency, liquidity, capital and risk profile
○ finding an alternative service provider
● Potential impact on Company's brand value and
or
reputation,
● Ability to achieve business objectives, plans and, ○ bringing the business activity in-house.
strategies if the service provider fail to perform the ● Impact on the Company's counterparties and
service; the financial market, if the service provider fail
● Cost of outsourcing as a proportion of total operating to perform the service.
cost. Company can classify other outsourcing
● Aggregate level of dependency to that particular service arrangements as material apart from the above given
provider, (various functions are outsourced to the same factors.
service provider);
● Significance of activities outsourced in context of
customer service and protection
Parameters to evaluate the service provider’s capability

Existing Factors Factors newly added

● Past experience and competence to implement the ● conflict of interest

proposed activity; ● ability of the service provider to effectively service
● Financial soundness and ability to service all customers with confidentiality (currently
commitments under adverse conditions; applicable to cooperative banks now been
extended to all REs )
● Business reputation and culture, compliance,
● disaster recovery arrangements and track records,
complaints and outstanding or potential litigation; ● degree of reliance on sub-contractors,
● Business continuity management, audit coverage, ● adequacy of service providers insurance coverage;
internal controls, security, and reporting and ● external factors such as:
monitoring environment; ○ Economic,
● Due diligence by service provider of its employees; ○ Legal,
○ Political and social environments of the
jurisdiction where service provider
operates.
Compliance Obligations for Material Outsourcing Arrangements

● Maintain a centralised record of all material outsourcing agreements

● The outsourcing agreement must specify:
○ service locations,
○ data processing regions,
○ outline procedures for notifying the RE if the service provider changes its location
● Mandatory periodic joint testing and recovery exercises by RE and Service provider at least annually
● Report to RBI on a quarterly basis of the material outsourcing arrangements (format may be
specified later)
● RBI shall review during inspections:
○ Effective implementation
○ Robust risk management systems.
Additional requirements to be added in the Outsourcing Agreement
● Service-level agreements (SLA), (specifically mentioned);

○ SLA - clearly formalise the performance criteria to measure quality and quality of the service levels;
● Approval for the use of subcontractors shall be subject to compliance with the provisions of the draft MD;
● Preservation of documents and data by the service provider;
● Specify the type of material adverse events (e.g. data breaches, service unavailability,etc.) and incident reporting
requirements under which the service provider should report to the Company;
● The events of default and the indemnities, resolution process, remedies and recourse of the respective parties in
the agreement;
● Storage of data must be in compliance with extant regulations notified by the RBI.
Monitoring and Control Obligations

● Reports on the monitoring and control activities - ● Publicise in leading local newspaper the termination of
reviewed periodically by Senior Management. outsourcing agreement (indicative reasons such as
○ Any adverse development- place before the board fraud, leakage or breach of information, etc.) - where
or committee for information. SR interacts with customers
● Perform comprehensive pre-and post-implementation ● Immediately notify RBI - any significant problems -
review: potential to materially affect the outsourcing
○ new outsourcing arrangements; arrangement & the business operations, profitability,
○ amendments to the current outsourcing reputation or strategies.
arrangements. ● Provisions of the RBI guidelines on ‘Outsourcing of
● Submit Annual Compliance Certificate to RBI Cash Management – Reconciliation of Transactions’, -
giving the particulars of: applicable in case of outsourcing of cash management
○ outsourcing contracts, (currently applicable to banks extended to all the
○ prescribed periodicity of the audit by the internal or REs.)
external auditor, ● Formulate effective process to review and approve
○ major findings of the audit, any Incentive Compensation that may be embedded in
○ actions taken by the board. the contracts.
Role of Board and Senior Management

Role of the Company Role of Senior Management (Additional)

● Establish an inventory of services provided by SR These functions were earlier performed by the
(including key entities involved in their supply chain), Board:
map their dependency on third parties; ● Regularly reviewing:
● Periodically evaluate the information received from the ○ outsourcing policies and procedures;
service providers; ○ strategies and arrangements for their
continued relevance, safety and
● Company responsible even for the actions of subagents effectiveness;
engaged by their service providers; ○ to identify new material outsourcing
risks as they arise.
● Deciding on business activities of a material
Role of the DSA/DMA nature to be outsourced and approving such
arrangements
● Draft MD prohibit intimidation and harassment during
recovery practices (inappropriate messages, threats,
false representations, or persistent calls) - which
includes repeated calling
● Recovery agents cannot contact borrowers/guarantors
before 8:00 a.m. or after 7:00 p.m., except MFI Loans.
 General Restrictions and Obligations

Outsourcing in the group Other General Obligations

● Confidentiality and Security
● REs cannot outsource activities to a service provider if it is ○ Company to share data with the service provider through
not a group company where it is owned or controlled by: secure channels.
○ Both sharing and storage of data with the service
○ key managerial personnel of the Company or provider in an encrypted manner.
○ approver of outsourcing arrangement. ○ Formulate structured process for secured removal,
disposal and destruction of data by the service provider.
● Exception:- Permitted if approved by the board of
● Grievance Redressal
directors or committee of the RE & appropriate ○ Additional alternative redressal options introduced
disclosures being made. ■ Customer Education Protection Cell, (If RBI
● Other provisions remain the same. Mainly clarified - Ombudsman Scheme does not apply) &
■ Grievance Redress Mechanisms of the respective
○ To maintain an arm’s-length relationship with respect supervisory authorities, etc.
to sharing of data and servers in such outsourcing ● Centralised List of Outsourced Agents
○ Conditions of the outsourcing agreement must be set ○ Premature termination of a service provider’s contract
for specified reasons - inform the concerned Self-
on an arm’s-length basis & Regulatory Organisation (SRO).
○ Must explicitly deal with conflicts of interest ■ The SRO will have to maintain a caution list of such
service provider
Speak to
Kolkata Delhi Mumbai

1006-1009 Krishna Building A-467, First Floor 403-406,

224 AJC Bose Road Kolkata – 700 017 Defence Colony, 175, Shreyas Chambers,

us! Phone: 033- 2281 7715/ 3742/

40010157
E: finserv@vinodkothari.com
New Delhi – 110 024
Phone: 011- 4131 5340
E: delhi@vinodkothari.com
D.N. Road, Fort, Mumbai – 400 001
Phone: 022 – 2261 4021 / 6237 0959
E: bombay@vinodkothari.com

Connect
with us!
BUSINESS MODEL ASSESSMENT | FOR KFMSPL | BY VINOD KOTHARI CONSULTANTS 58